Castellan-compatible key store is a base service
Per the past year of discussions, culminating in the most recent mailing list thread[*], it's apparent that providing a consistent solution for storage of key material and similar secrets by security features of various OpenStack services is in the best interests of the project. By providing this guarantee in the base services set, projects don't need to worry about implementing insecure fallback alternatives or needlessly duplicating functionality to cope with the lack of an already-available solution.

[*] http://lists.openstack.org/pipermail/openstack-dev/2018-May/130567.html

Change-Id: Ia46211f41726d5671bf28a632d17fc56965b6fcc
parent 94abc873f1
commit 2e93447e66
|
@ -37,6 +37,18 @@ the system which may also benefit from using it.
|
|||
Current list of base services
|
||||
=============================
|
||||
|
||||
**A Castellan-compatible key store**
|
||||
OpenStack components may keep secrets in a key store, using Oslo's
|
||||
Castellan library as an indirection layer. While OpenStack provides a
|
||||
Castellan-compatible key store service, Barbican, other key store backends
|
||||
are also available for Castellan. Note that in the context of the base
|
||||
services set Castellan is intended only to provide an interface for
|
||||
services to interact with a key store, and it should not be treated as a
|
||||
means to proxy API calls from users to that key store. In order to reduce
|
||||
unnecessary exposure risks, any user interaction with secret material
|
||||
should be left to a dedicated API instead (preferably as provided by
|
||||
Barbican).
|
||||
|
||||
**An oslo.db-compatible database**
|
||||
OpenStack components store data in a database, using oslo.db as an
|
||||
indirection layer. While most OpenStack deployments use MySQL, other
|
||||
|
|
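Review bot: The added Castellan paragraph says only that components "may keep secrets in a key store", so the guarantee the commit message relies on (services not needing insecure fallback alternatives) is never stated in the document text itself. Consider adding a sentence that services can assume a Castellan-compatible key store is present in the deployment. Also, "other key store backends are also available for Castellan" gives a deployer nothing to act on; a pointer to where the supported backends are listed would make "Castellan-compatible" checkable. The guidance against proxying user API calls through Castellan is clear as written.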